{
	"id": "ea50871d-6809-483c-8777-07924f8c9419",
	"created_at": "2026-04-06T00:13:45.146638Z",
	"updated_at": "2026-04-10T13:12:19.387769Z",
	"deleted_at": null,
	"sha1_hash": "21d17d8989661a5be08a19a688c6e33dc67b4022",
	"title": "COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1397089,
	"plain_text": "COVID-19 and New Year greetings: an investigation into the tools and\r\nmethods used by the Higaisa group\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 14:20:17 UTC\r\nIn March 2020 specialists from the PT Expert Security Center conducted an analysis on the activities of the APT group\r\nHigaisa. This group was first studied by security analysts at Tencent in November 2019. In that analysis, Tencent specialists\r\nreached the conclusion that Higaisa has its origins in South Korea. The group, which is still active today, can be tracked all\r\nthe way back to 2009. According to the Tencent analysis, Higaisa's main targets have been government, public, and trade\r\norganizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations.\r\nHigaisa distributes messages containing real news and information on current events to initially spread their malware. They\r\nhave also used messages containing seasonal greetings, which congratulate their recipients on holidays such as New Year,\r\nthe Chinese Lantern Festival, and North Korean national holidays. In most cases the messages are written in English,\r\nimplying that English-speaking countries could also be targets.\r\nWith the recent prevalence of the coronavirus (COVID-19) pandemic, many APT groups, including Gamaredon, SongXY,\r\nTA428, Lazarus, Konni, and Winnti, have been using the topic of COVID-19 in their email distributions. Higaisa is no\r\nexception.\r\nThis article is an investigation into one of the malicious files created by Higaisa. The file was discovered by security experts\r\non March 11 while conducting another study on information security threats. The file is also compared with earlier files, and\r\nobserved changes are noted and analyzed.\r\nObject #1: File 20200308-sitrep-48-covid-19.pdf.lnk\r\nFigure 1. PDF document containing a World Health Organization (WHO) report\r\nStage 1. 
Shortcut\r\nThe malware originates from a file called 20200308-sitrep-48-covid-19.pdf.lnk, which is disguised as a PDF file.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/\r\nPage 1 of 13\n\nFigure 2. Contents of the LNK file\r\nThe file is a .lnk shortcut with the icon of a PDF document. When opened, the command cmd.exe /c is executed with the\r\nfollowing command string (note: line breaks and spaces have been added for readability):\r\nFigure 3. The command string executed by the shortcut\r\nAs a result, copies of the shortcut and of the file C:\\Windows\\System32\\CertUtil.exe (under the name msoia.exe) are\r\nplaced into a temporary folder. Instead of directly using the name CertUtil.exe, the file mask *ertu*.exe and the for\r\ncommand are used to locate the file, bypassing filename-based signatures.\r\nBy launching findstr.exe, the Base64-encoded payload at the end of the LNK file is retrieved and then decoded using\r\nCertUtil.exe (msoia.exe).\r\nStage 2. Archive\r\nThe decoding results in a CAB archive, which is unpacked into the same %tmp% folder and contains the following files:\r\n3UDBUTNY7YstRc.tmp (DLL, used for autorun)\r\n9sOXN6Ltf0afe7.js (installation script)\r\n486AULMsOPmf6W.tmp (a legitimate executable file used for autorun)\r\n20200308-sitrep-48-covid-19.pdf (the original WHO report, used as bait)\r\ncSi1r0uywDNvDu.tmp (XSL; contains part of the installation code written in VBScript)\r\nMiZl5xsDRylf0W.tmp (installer payload)\r\nAfter the files have been retrieved, the malware moves to the next stage in the process of achieving persistence in the\r\nsystem, launching the file 9sOXN6Ltf0afe7.js.\r\nStage 3. JS script. Part one.\r\nThe script is written as one line:\r\nFigure 4. A fragment of the code from 9sOXN6Ltf0afe7.js\r\nIn effect, the script executes the following console commands:\r\nFigure 5. 
Console commands in 9sOXN6Ltf0afe7.js\r\nA folder with the name cscript.exe is created in the temporary folder %tmp%. The original script interpreter,\r\ncscript.exe, is then copied into this folder under the name msproof.exe. An XSL file by the name of WsmPty.xsl is copied in as\r\nwell. This is what the XSL file looks like:\r\nFigure 6. A fragment of the code in WsmPty.xsl\r\nA legitimate script, %windir%\\System32\\winrm.vbs (a console tool for working with the Windows Remote Management API),\r\nis launched using the interpreter. It is passed the command get wmicimv2/Win32_Process?Handle=4 and the output\r\nformat option format:pretty.\r\nWhen this format is specified, winrm.vbs loads WsmPty.xsl from the directory in which the interpreter cscript.exe is\r\nlocated and uses it to format the command output (regardless of whether the command was executed successfully).\r\nThis runs the VBScript code embedded in the XSL file.\r\nThis method, described by Matt Graeber in 2018, bypasses application whitelisting restrictions to run unauthorized code.\r\nThere is one essential condition for winrm.vbs to work: the string cscript.exe must be present in the path to the interpreter.\r\nThis is why the folder that it is copied into is created with this particular name.\r\nStage 4. XSL\r\nThe VBScript code that is launched contains a hex string and the code responsible for decoding and executing the file.\r\nHere you can see the code with all hex strings converted into bytes and deobfuscated variable names:\r\nFigure 7. Deobfuscated VBScript code\r\nEssentially, what the code does is create a folder called OFFICE12 in the user profile, as well as a shortcut called\r\nAccessories.lnk in the startup directory. 
The shortcut does not directly launch the payload, instead using the function\r\nFileProtocolHandler from the url.dll library:\r\nC:\\Windows\\System32\\rundll32.exe C:\\Windows\\system32\\url.dll,FileProtocolHandler %UserProfile%\\OFFICE12\\MSOSty\r\nAdditionally, a file called 2m7EBxdH3wHwBO.tmp is created in %tmp% via the function Write4D5A90. This file contains\r\nthe first three bytes of an EXE file: 0x4D, 0x5A, 0x90.\r\nStage 3. JS script. Continuation\r\nOnce the VBScript in the XSL has been run, the console commands launched by the JS code continue to execute. Three files\r\nare copied into the folder OFFICE12 that was created in the user profile. Those files are:\r\nMSOSTYLE.EXE\r\nOINFO12.OCX\r\nWordcnvpxy.exe\r\nThe last file, which is the payload, is built from the three-byte prefix created by the VBScript and from\r\nMiZl5xsDRylf0W.tmp, which was unpacked earlier. The result is a valid .exe file.\r\nMSOSTYLE.EXE is a legitimate file from the Microsoft Office 2007 package. It is responsible for sideloading the dynamic\r\nlink library OINFO12.OCX.\r\nOINFO12.OCX contains the code for executing the final payload:\r\nFigure 8. Launching Wordcnvpxy.exe in DllMain\r\nIt also contains code in exported functions that is not actually run (we suspect that this is part of an attempt to avoid\r\ndetection in sandbox environments):\r\nFigure 9. The code of GetOfficeData()\r\nFigure 10. The code of DeleteOfficeData()\r\nThe last step in the script is to open the PDF file that was used as bait.\r\nWordcnvpxy.exe downloader\r\nThe payload is an application that creates a hidden window (the name of the class and the window is SK_Parasite).\r\nFigure 11. 
Window creation and event processing loop in Wordcnvpxy.exe\r\nEssential functions are loaded dynamically. Base64 with the following non-standard alphabet is used to decode library\r\nnames: z2bqw7k90rJYALIQUxZK%sO=hd5C4piVMFlaRucWy31GTNH-mED8fnXtPvSojeB6g. Instead of function\r\nnames, their hashes are used, computed with the SuperFastHash algorithm.\r\nFigure 12. Dynamically loaded libraries\r\nThe main code is run in a separate thread: every 10 minutes, the application contacts the C\u0026C server\r\nmotivation[.]neighboring[.]site and passes it the computer's identifier in the User-Agent string. The identifier is a\r\nSuperFastHash of the system volume serial number and the name of the computer.\r\nFigure 13. Main downloader cycle\r\nThe response from the server is saved into a temporary file. If the response contains at least 10 bytes, it is decoded from\r\nBase64 and divided into two segments separated by the symbol $. The first segment contains the RC4-encrypted executable\r\nfile, and the second contains its filename without an extension.\r\nFigure 14. Processing the server response\r\nThe method used to construct the RC4 decryption key is interesting. It is generated via a recurrent sequence\r\nthat begins with two numbers (28 and 39), in which every subsequent number equals the sum of the previous two, mod 255. The\r\nkey consists of 64 bytes and begins with the first sum in the sequence. The key is later expanded to 256 bytes (by looping)\r\nand is used in the standard RC4 algorithm.\r\nFigure 15. 
Generation of the RC4 key in Wordcnvpxy.exe\r\nThe executable file received from the server is saved in %TEMP% with the specified name and is then launched.\r\nObject #2: 邀请函.doc (Invitation card.doc)\r\nThis is an RTF file containing a congratulatory statement:\r\nFigure 16. Document with holiday greetings\r\nThe document was created using the popular builder 'Royal Road RTF' (also known as 8.t), which exploits the CVE-2018-0798\r\nvulnerability in Microsoft Equation Editor. This builder is not publicly accessible, but is widely used by Chinese APT\r\ngroups, including TA428, Goblin Panda, IceFog, and SongXY. The name '8.t' originates from the fact that the malware\r\ncreates a file called 8.t containing the encoded payload in a temporary folder.\r\nExploitation results in the creation of a file called %APPDATA%\\microsoft\\word\\startup\\intel.wll. This file is a DLL\r\ndropper, which is loaded the next time Microsoft Word is launched. Its payload consists of two files:\r\n%ALLUSERSPROFILE%\\TotalSecurity\\360ShellPro.exe and %ALLUSERSPROFILE%\\TotalSecurity\\utils\\FileSmasher.exe.\r\nThe files are encoded using xor 0x1A.\r\nFigure 17. The main function in the intel.wll dropper (fragment)\r\nThe dropper achieves persistence in the system by creating a shortcut in the startup directory that launches\r\n%ALLUSERSPROFILE%\\TotalSecurity\\360ShellPro.exe with the parameter /func=5. This file is a modified component of the\r\nantivirus tool 360 Total Security, and is used to transfer control to the downloader FileSmasher.exe via a method similar to\r\nDLL side-loading.\r\nThe legitimate 360ShellPro.exe file contains a number of relative paths to executable files. The correct file is selected and\r\nlaunched depending on the value of the argument /func=.\r\nFigure 18. 
File selection based on the func parameter\r\nFileSmasher.exe downloader\r\nIn many ways, FileSmasher.exe resembles Wordcnvpxy.exe. It is also a windowed application (class name: NIS_K).\r\nHowever, in this case, the relevant code is launched using a 10-minute timer, not a separate thread.\r\nFigure 19. Window creation, timer set-up, and event processing loop in FileSmasher.exe\r\nDynamic DLL loading is not used (all imports are static), and the address of the C\u0026C server is recovered using a similar RC4\r\ndecryption function (instead of decoding from Base64 with a nonstandard alphabet). However, the initial elements in the\r\nseries used to generate the key have different values (8 and 5); the generation algorithm itself is otherwise identical.\r\nFigure 20. RC4 key generation in FileSmasher.exe\r\nThe CRC32 of the system volume serial number is used as the infected machine identifier. It is passed explicitly as a GET\r\nparameter. The following is the full address that the downloader uses to access the server:\r\nhttp://walker[.]shopbopstar[.]top/blog/index.php?ei={32 random chars}\u0026ti={volume serial CRC32}\r\nFigure 21. 
Construction of a URL to access the monitoring server, from FileSmasher.exe\r\nThe loading algorithm is practically identical:\r\nThe server response is saved in a temporary file and is processed only if it contains at least 10 bytes.\r\nIn contrast to Wordcnvpxy.exe, there is no Base64 decoding.\r\nThe response is divided into two parts using an ampersand (\u0026) instead of a dollar sign ($).\r\nThe first segment is also an executable file encrypted with RC4, and the second part is its name without an extension.\r\nThe file is decrypted using the same function that is responsible for decrypting the address (the RC4 key parameters are\r\n8 and 5).\r\nThe loaded file is launched using CreateProcess.\r\nIt is worth noting that the resource files for Wordcnvpxy.exe and FileSmasher.exe include a dialogue window, \"About,\"\r\ncontaining the application's name and copyright information.\r\nFigure 22. The \"About\" dialogue window from the resources included in FileSmasher.exe\r\nThis window, as well as other resources (Menu, Accelerators), is generated by Visual Studio when the project is created. In\r\nthe case of Wordcnvpxy.exe, the application name indicated in the dialogue window matches the name of the window's class\r\n(SK_Parasite). However, this is not the case for FileSmasher.exe. Here, the application is called AttackBot, and in this case\r\nwe also see the abbreviation NIS, which appeared earlier in the name of the window class (NIS_K).\r\nExperts at Tencent drew a connection between Higaisa and the Republic of Korea and identified its main targets as North\r\nKorean government and trade organizations. This suggests that NIS could stand for National Intelligence Service (the\r\nNational Intelligence Service of the Republic of Korea). SK_Parasite could be a reference to the South Korean film Parasite\r\n(released in 2019). 
Alone, these data are insufficient to draw firm conclusions; however, they can be seen as circumstantial\r\nevidence for a connection with South Korea.\r\nRelated objects\r\nThe contents of the initial document (New Year greetings) and the date the file was created (22.12.2019) indicate the period\r\nduring which it was used. However, it is not the only object of its kind. Analysts at Tencent identified another distribution of\r\nmalicious files during the same period. In that case the filenames were Happy-new-year-2020.scr and 2020-New-Year-Wishes-For-You.scr. These files are executables and use a congratulatory JPG file as bait. The image is dropped by the\r\nexecutable file and opened in the default viewer.\r\nFigure 23. The image contained in Happy-new-year-2020.scr\r\nFigure 24. The image contained in 2020-New-Year-Wishes-For-You.scr\r\nApart from the CVE-2018-0798 exploitation step, the structure of these threats is effectively identical to that of the\r\nRTF document. The SCR files are droppers whose payload is decrypted using xor 0x1A and unpacked into a subdirectory of\r\n%ALLUSERSPROFILE%.\r\nFigure 25. The main function in the 2020-New-Year-Wishes-For-You.scr dropper (fragment)\r\nThe payload consists of a legitimate executable file (rekeywiz.exe from Windows 7 is used) and the DLL downloader\r\nDuser.dll. The legitimate file is added to startup using a shortcut.\r\nThe downloader decrypts the URL using RC4 (the initial values are 8, 5 and 9, 5) and adds a random string and the CRC32\r\ncomputer identifier as GET parameters.\r\nFigure 26. 
Construction of a URL to access the control server, from Duser.dll (2020-New-Year-Wishes-For-You.scr dropper)\r\nThe downloader instance unpacked from 2020-New-Year-Wishes-For-You.scr uses a statically linked libcurl library to\r\nestablish a connection with the C\u0026C server. The other instance uses statically imported functions from the winhttp.dll library, just\r\nlike FileSmasher.exe.\r\nThe server is accessed at the following addresses: http://adobeinfo[.]shopbopstar[.]top/notice/index.php and\r\nhttp://petuity[.]shopbopstar[.]top/research/index.php.\r\nIn both cases data is received from the server in the same format as in FileSmasher.exe.\r\nAlthough neither of the droppers described here actually creates any windows, they do contain a\r\nstandard set of window resources, including the \"About\" dialogue window. The strings \"K_NIS\" and \"KISA\" are used as\r\napplication names.\r\nC\u0026C server responses\r\nTwo types of components were used as the payloads distributed by the C\u0026C server:\r\nThe system information collector (InfoStealer), which essentially runs the console\r\ncommand systeminfo \u0026 ipconfig -all \u0026 tasklist \u0026 net view \u0026 dir c:\\ \u0026 dir c:\\users\\ \u0026 dir d:\\ \u0026 dir e:\\ and relays the\r\noutput to the command server.\r\nGh0st RAT in a variety of modified forms, particularly with all essential functionality implemented in DLL plug-ins\r\nloaded from the C\u0026C server.\r\nThese instances of Gh0st RAT are interesting when compared with the publicly accessible source code, as they implement\r\nnon-standard encryption of incoming and outgoing data. In packets containing less than 10 payload bytes (not including the\r\nheader), the first 10 bytes are processed with a 0x12 xor key. The bytes 0x0 and 0x12 are left unchanged. 
Data are\r\ncompressed with LZO instead of zlib.\r\nFigure 27. Decompiled code of the function CClientSocket::OnRead\r\nIn addition, the m_bPacketFlag field (the signature of packets sent to the command server) is initialized with a\r\npseudorandom value calculated from the value returned by GetTickCount(). In the original code, the field is equal\r\nto Gh0st.\r\nFigure 28. Initialization of the field CClientSocket::m_bPacketFlag\r\nConclusion\r\nThe results of our study demonstrate how the malicious objects used by the Higaisa group have evolved over time.\r\nBeginning with a simple distribution of executable files, they shifted towards utilizing exploits and complex multi-stage\r\nthreats. However, the structure of their tools (such as droppers and downloaders) remained largely unchanged. To hinder\r\ndetection, the attackers modified details such as the control server URL, RC4 key parameters, the legitimate files used for\r\nDLL side-loading, and the libraries used for HTTP interaction.\r\nAuthor: Alexey Zakharov, Positive Technologies\r\nIOCs\r\nmotivation[.]neighboring[.]site\r\nwalker[.]shopbopstar[.]top\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/"
	],
	"report_names": [
		"covid-19-and-new-year-greetings-the-higaisa-group"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6c64ba5-12e1-4f04-97d5-077d83da95e1",
			"created_at": "2024-10-08T02:00:04.466964Z",
			"updated_at": "2026-04-10T02:00:03.724238Z",
			"deleted_at": null,
			"main_name": "SongXY",
			"aliases": [],
			"source_name": "MISPGALAXY:SongXY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21d17d8989661a5be08a19a688c6e33dc67b4022.pdf",
		"text": "https://archive.orkl.eu/21d17d8989661a5be08a19a688c6e33dc67b4022.txt",
		"img": "https://archive.orkl.eu/21d17d8989661a5be08a19a688c6e33dc67b4022.jpg"
	}
}